2

A number of my servers are not able to sync into our WSUS server. On digging, we noticed a number of group policies are not being applied.

On running rsop.msc, I get the following error message:

Group Policy Infrastructure failed due to the error listed below.
Network access is denied.

Googling revealed an event error code of 1508.

I've tried a few things listed to fix this, but I don't know what permissions to apply on the SYSVOL directory on the domain controller.

  1. What are the proper permissions to apply on the sysvol directory for the policies in the domain?

  2. Is there anything else I should try to fix the 1508 error code?

A bit more info:

Domain Controllers are Windows 2012.

I say Reinstate Monica
Jeff

1 Answer

3

You can use the following procedure to reset the permissions on the sysvol share. This is for Server 2008 (R2); if you have a different OS, please add it to the comments and I'll edit this if applicable.

1. Open Notepad, and then enter the following information:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

2. Save this file as Sysvol.inf.

3. Open a new Command Prompt. Do not use an existing command prompt that has been open on your desktop because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file in step 1.

4. At the new command prompt, type the following command all on one line, and then press ENTER:

secedit /configure /cfg <path>\sysvol.inf /db <path>\sysvol.db /overwrite

Reference: https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx

As for anything else, some more information is needed. Ipconfig, Server OS, gpresult /h (for both the DC and an affected server) would be helpful.

Drifter104
  • I am actually using Server 2012. I should have mentioned that. – Jeff May 20 '15 at 12:43
  • 1
    Jeff, I've not seen an updated script for 2012, but this script hasn't changed since 2003. It is the same for 2003 -> 2008 R2. All I can say is, if you want to try it with 2012, have good backups. – Drifter104 May 20 '15 at 13:15
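
To see what the Sysvol.inf template in the answer above grants before applying it to a domain controller, the following added Python example (not part of the original post or the referenced Microsoft article) parses its [File Security] lines and expands the SDDL abbreviations. The function names are illustrative, and the trustee and rights names are the standard meanings of the two-letter SDDL codes the template uses.

```python
import re

# The [File Security] section of the Sysvol.inf from the answer, embedded as sample input.
SYSVOL_INF = r'''[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
'''

# Standard SDDL abbreviations; only the ones this template uses are listed.
TRUSTEES = {"AU": "Authenticated Users", "SO": "Server Operators",
            "BA": "BUILTIN\\Administrators", "SY": "Local System",
            "CO": "Creator Owner", "PA": "Group Policy Creator Owners"}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "SD": "delete", "FA": "file all access"}
INHERIT = {"CI": "container inherit", "OI": "object inherit"}
WRITE_RIGHTS = {"generic all", "generic write", "delete", "file all access"}

def _codes(field, table):
    """Split a field of two-letter SDDL codes; hex masks and unknown codes stay as written."""
    if field.lower().startswith("0x"):
        return [field]
    return [table.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]

def parse_file_security(inf_text):
    """Return {path: {"mode", "protected", "aces"}} for each active [File Security] line."""
    entries, in_section = {}, False
    for line in (l.strip() for l in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        elif in_section and line and not line.startswith(";"):  # ';' = commented out
            m = re.fullmatch(r'"([^"]+)",(\d+),"D:([A-Z]*)((?:\([^)]*\))+)"', line)
            if not m:
                raise ValueError(f"unparsed line: {line}")
            path, mode, dacl_flags, ace_text = m.groups()
            aces = []
            for ace in re.findall(r"\(([^)]*)\)", ace_text):
                ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")[:6]
                aces.append({"allow": ace_type == "A", "inherit": _codes(flags, INHERIT),
                             "rights": _codes(rights, RIGHTS), "trustee": TRUSTEES.get(sid, sid)})
            # mode 2 = replace permissions on child objects; "P" = DACL protected from inheritance
            entries[path] = {"mode": int(mode), "aces": aces,
                             "protected": "P" in re.findall(r"AR|AI|P", dacl_flags)}
    return entries

def writers(entry):
    """Trustees whose allow ACEs include a right that can modify content."""
    return [a["trustee"] for a in entry["aces"] if a["allow"] and WRITE_RIGHTS & set(a["rights"])]

if __name__ == "__main__":
    for path, entry in parse_file_security(SYSVOL_INF).items():
        print(path, "-> can modify:", ", ".join(writers(entry)))
```

The output shows that the only difference between the two active entries is the extra ACE giving Group Policy Creator Owners write and delete rights on the policies folder; Authenticated Users and Server Operators get read and execute only.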